Financial firm blazes a trail to go live with PKI Web solution

In an attempt to force the pace on the adoption of a standard for secure digital signatures, financial services firm Andersen-Charnley has unveiled its preparations for a roll-out of a secure system for online transactions.

Financial planning and portfolio management company Andersen-Charnley is pioneering the use of public key infrastructure (PKI) technology. The firm will become one of the first financial institutions to go live with a PKI-based Web security implementation when it relaunches its Web site in December.

Although the jury is still out on PKI, Andersen-Charnley has decided it cannot afford to wait for banks and City firms to agree technology standards. It plans to use its muscle to persuade large financial institutions that digitally signed documents are far more reliable and secure than paper.

In a unique experiment, Andersen-Charnley has agreed to open up its doors to Computer Weekly for the duration of its digital signature project. We will be sitting in on meetings, listening to discussions with suppliers and following the progress of the project, from its initial definition, right through to implementation.

Keeping up to speed with the latest technology is more important for Andersen-Charnley than for most financial services companies. For the past 10 years, the company has been advising high-earning executives in the UK's IT and telecommunications firms - organisations like Sun and Cisco. They expect the latest and the best IT security.

With only 25 staff, Andersen-Charnley lacks a full-scale IT department, but it has been able to develop its technology strategy by working closely with its high-tech clients. Their advice was instrumental in the company's plans to launch a Web site and to adopt digital signature technology.

"We have a degree of technical expertise, but we are not technical experts," said Avril Millar, operations director. "But we are talking to our clients all the time. We have the ability to tap into people with real end-user knowledge and experience."

Digital signatures are critical to Andersen-Charnley's business plan. The company wants to give its time-pressed executives, who currently have to fax or post written instructions, the ability to authorise share deals quickly and securely over the Net.

But the firm has been held back by the lack of progress made by government-backed efforts to introduce digital signatures to the UK. Although the technology has already been recognised by the European Union and Germany, the UK is still working out the practicalities of the system.

"This year we were supposed to have implemented a paperless office. It is fundamental to us. We have not been able to because of lack of agreement by the Government on digital signatures," said Chris Loynes, managing director and joint founder of Andersen-Charnley.

The company now hopes to force the pace by introducing its own PKI system ahead of the large financial firms. "It is a pre-emptive strike. We want to force the institutions to accept secure e-mail," he said.

The technology will allow Andersen-Charnley to use its Web site as far more than an information source. Clients will be able to look at their tax plans and review their portfolios online knowing that their details cannot be viewed or altered by anyone else.

In recent months Andersen-Charnley has evaluated PKI products from three IT suppliers and has now decided to opt for a system from US firm Xcert.

After an initial getting-to-know-you meeting earlier this month, Andersen-Charnley has asked Xcert to come back this week with its recommendations. Computer Weekly will be sitting in on the meeting.

"We are not technical experts and the list of questions we have is astronomical," said Millar. Her concerns include:

  • What ongoing maintenance will the system need? Andersen-Charnley cannot afford to be without its systems for even half a day. One lost e-mail could be disastrous.

  • Will clients feel happier if Andersen-Charnley hosts the system in-house, or would it be better to outsource?

  • Will the PKI system affect the performance of the Web site? A 30-second wait would almost certainly deter busy executives.

  • Should the PKI system be rolled out in one go, or would it be better to roll it out gradually?

  • The biggest question, however, is whether Andersen-Charnley is taking too much of a risk by striking out so early with a digital signature system.

"The lack of a UK standard on Internet PKI is a concern. But a more fundamental concern is the security of our company and our clients. And so we have taken the decision to go ahead now, rather than compromise security and client confidence," explained Millar.

Will Xcert be able to satisfy Andersen-Charnley's concerns? You can find out by following the project's progress in future issues of Computer Weekly.

What is PKI?

Public key infrastructures use mathematically generated digital certificates to prove the identity of Internet users. Andersen-Charnley plans to use the technology to ensure that only genuine clients can access their confidential details on the Andersen-Charnley Web site. The company will also add a digital signature to the advice it e-mails to clients, so they can be sure the advice has genuinely come from Andersen-Charnley. Digital signatures are generated using public key encryption technology.

Andersen-Charnley's IT

Andersen-Charnley, a financial services company employing 25 staff, was formed 10 years ago to offer financial advice to high earners. Most of its clients are executives in the IT and telecommunications industries. The company, which advises on tax planning, tax returns and share portfolio management, began developing a Web operation a year ago. It plans to add PKI technology to the site by the end of the year. Its strategy is to become a Web-based, paperless company. Current systems include:

  • A Dell Poweredge 2400 back-office server running Windows 95/98/NT runs 1st client management package and an SQL client database

  • 20 desktop PCs run Windows 95/98/NT and Microsoft Office

  • 2D Web site hosted by Screen Pages

  • 3D Web site being developed by VR Marketing
